http://searchitchannel.techtarget.com/feature/Fibre-Channel-address-weaknesses

Figure 2.1 Five layers of a Fibre Channel frame.

Figure 2.2 shows an example of the header information in Fibre Channel layer 2.

Now that we have established that attacks don't change, but they do get modified, let's discuss another attack that stems network and application history. Manipulation of the 24-bit fabric address can cause significant damage and denial of service in a SAN.

Each node in a SAN has a 24-bit fabric address that is used for routing, among other things. Along with routing frames correctly to/from their source and destinations, the 24-bit address is also used for name server information. The name server is a logical database in each Fibre Channel switch that correlates a node's 24-bit fabric address to their 64-bit WWN. Additionally, the name server is also responsible for other items, such as mapping the 24-bit fabric address and 64-bit WWN to the authorized LUNs in the SAN. Furthermore, address information is also used for soft and hard zoning procedures (discussed in the Chapter 4, "SANs: Zone and Switch Security"). The 24-bit fabric address of a node determines route functions with soft and hard zoning procedures, specifically if a frame is allowed to pass from one zone to the other. While there are several other uses of the 24-bit address, the use of the address in name servers and zoning procedures are by far the most important in terms of security.

The major issues with the 24-bit address is that it is used for identification purposes for both name server information and soft/hard zone routing, almost like an authorization process, but it is an entity that can be easily spoofed. Using any traffic analyzer, the 24-bit source address of a Fibre Channel frame could be spoofed as it performs both PLOGI (Port Login) and FLOGI (Fabric Login) procedures.

In Fibre Channel, there are three different types of login—Port Login, Fabric Login, and Node Login. Two can be corrupted with a spoofed 24-bit fabric address. Before we discuss how spoofing disrupts these processes, let's discuss the login types first.

FABRIC LOGIN (FLOGI), PORT LOGIN (PLOGI), AND NODE LOGIN (NLOGI)

The Fabric Login (FLOGI) process allows a node to log in to the fabric and receive an assigned address from a switch. The FLOGI occurs with any node (N_Port or NL_Port) that is attached to the fabric. The N_Port or NL_Port will carry out the FLOGI with a nearby switch. The node (N_Port or NL_Port) will send a FLOGI frame that contains its node name, its N_Port name, and any service parameters. When the node sends its information to the address of 0xFFFFFE, it uses the 24-bit source address of 0x000000 because it hasn't received a legitimate 24-bit address from the fabric yet. The FLOGI will be sent to the well-known fabric address of 0xFFFFFE, which is similar to the broadcast address in an IP network (though not the same). The FC switches and fabric will receive the FLOGI at the address of 0xFFFFFE. After a switch receives the FLOGI, it will give the N_Port or NL_Port a 24-bit address that pertains to the fabric itself. This 24-bit address with be in the form of Domain-Area-Port address from, where the Domain is the unique domain name (ID) of the fabric, Area is the unique area name (ID) of the switch within the domain, and Port is the unique name (ID) of each port within the switch in the fabric. Table 2.3 shows how the 24-bit address is made.

Table 2.3 24-Bit addresses

24-Bit Address Type
Description

8-bit domain name
Unique domain ID in a fabric. Valid domain IDs are between 1 and 239.

8-bit area name
Unique area ID on a switch within a fabric. Valid area IDs are between 0 and 255.

8-bit port name
Unique area ID on a switch within a fabric. Valid area IDs are between 0 and 255.

A 24-bit address (port ID) uses the following formula to determine a node's address:

Domain_ID x 65536 + Area_ID x 256 + Port_ID = 24 bit Address

An example address for and node on the first domain (domain ID of 1), on the first switch (area ID of 0), and the first port (port ID of 1), would be the following:

1 x 65536 + 0 x 256 + 1 = 65537 (Hex: 0x10001)

After the node has completed the FLOGI and has a valid 24-bit fabric address, it will perform a Port Login (PLOGI) to the well-known address of 0xFFFFFC to register its new 24-bit address with the switch's name server, as well as submit information on its 64-bit port WWN, 64-bit node WWN, port type, and class of service. The switch then registers that 24-bit fabric address, along with all the other information submitted, to the name server and replicates that information to other name servers on the switch fabric. Figures 2.14 and 2.15 show the FLOGI and PLOGI processes.

Figure 2.14 FLOGI process.

Figure 2.15 PLOGI process.

A Node Login is somewhat similar to a Fabric Login, but instead of logging in to the fabric, the node would log in to another node directly (node to node communication). The node will not receive any information from the fabric, but will receive information from the other node as it relates to Exchange IDs (OX_ID and RX_ID) and session information (Seq_ID and Seq_CNT). After this information has been exchanged, the two nodes will begin to communicate with each other directly.

Fibre Channel address weaknesses的更多相关文章

  1. Fibre Channel和Fiber Channel

    Fibre Channel也就是"网状通道"的意思,简称FC.   由于Fiber和Fibre只有一字之差,所以产生了很多流传的误解. FC只代表Fibre Channel,而不是 ...

  2. Fiber Channel SAN Storage

    http://www.infotechguyz.com/VMware/FiberChannelSANStorage.html Using Fibre Channel with ESX/ESXi Fib ...

  3. Firbe Channel光纤信道

    简介 中文名:网状信道 外文名:Fibre Channel 简    称:FC 光纤信道是一种高速网络技术标准(T11),主要应用于SAN(存储局域网).其拓扑结构分为三种,点到点.仲裁循环.交换结构 ...

  4. EtherType

    EtherType is a two-octet field in an Ethernet frame. It is used to indicate which protocol is encaps ...

  5. ibm v3700

    raid5总容量计算(n-1)*最小盘容量RAID0:N块盘组成,逻辑容量为N块盘容量之和:RAID1:两块盘组成,逻辑容量为一块盘容量:RAID3:N+1块盘组成,逻辑容量为N块盘容量之和:RAID ...

  6. openstack Icehouse发布

    OpenStack 2014.1 (Icehouse) Release Notes General Upgrade Notes Windows packagers should use pbr 0.8 ...

  7. Linux就这个范儿 第16章 谁都可以从头再来--从头开始编译一套Linux系统 nsswitch.conf配置文件

    Linux就这个范儿 第16章 谁都可以从头再来--从头开始编译一套Linux系统  nsswitch.conf配置文件 朋友们,今天我对你们说,在此时此刻,我们虽然遭受种种困难和挫折,我仍然有一个梦 ...

  8. WebLogic集群案例分析

    WebLogic集群案例分析 2012年8月,某证券交易系统(采用Weblogic中间件),由于基金业务火爆,使系统压力太大,后台服务器频繁死机时,这时工程师们紧急调试系统及恢复操作,等完成这些操作花 ...

  9. Linux下编译内核配置选项简介

    Code maturity level options代码成熟度选项 Prompt for development and/or incomplete code/drivers 显示尚在开发中或尚未完 ...

随机推荐

  1. Xcode 5.0.1安装插件:规范注释生成器VVDocumenter + OSX 10.9.2

    终于有时间停下来玩下Xcode的插件了,最近需要用下规范注释生成器,于是装了个插件用下. 下面是安装过程(简单的不得了): 1.前往GitHub下载工程文件:VVDocumenter-Xcode 2. ...

  2. Linux学习11-CentOS如何设置java环境变量

    前言 之前用yum安装的java,现在想添加环境变量,yum安装的java路径在哪呢?如何找到安装的路径,把jdk添加到环境变量. 本篇详细讲解linux系统设置java环境变量 找到jdk路径 之前 ...

  3. IP视频通信中的"丢包恢复技术”(LPR)

    转自:http://blog.csdn.net/blade2001/article/details/9094709 在IP视频通话中,即使是在丢包率很小的情况下也会对使用效果造成较为明显的影响.正是由 ...

  4. Android反编译工具的用法

    Android的APK文件时可以反编译的,通过反编译我们就能查看到大体的代码,帮助学习.反编译仅仅提供的是学习的方式,禁止使用该技术进行非法活动. 其实就是两个命令: 1:运行(WIN+R)-> ...

  5. SQL文件的BOM问题导致的invalid character错误及解决

    最近在做数据的搬运工,将Oracle中的数据搬运到ES中,方案很成熟了,使用Logstash的jdbc-input执行SQL,然后将结果输出到ES中.这么简单的问题,在测试环境中测试也一帆风顺,可一上 ...

  6. Java命令学习系列(七)——javap

    javap是jdk自带的一个工具,可以对代码反编译,也可以查看java编译器生成的字节码. 一般情况下,很少有人使用javap对class文件进行反编译,因为有很多成熟的反编译工具可以使用,比如jad ...

  7. [转] hive0.14-insert、update、delete操作测试

    FROM : http://blog.csdn.net/hi_box/article/details/40820341 首先用最普通的建表语句建一个表: hive>create table te ...

  8. 洛谷 P1138 第k小整数

    题目描述 现有n个正整数,n≤10000,要求出这n个正整数中的第k个最小整数(相同大小的整数只计算一次),k≤1000,正整数均小于30000. 输入输出格式 输入格式: 第一行为n和k; 第二行开 ...

  9. ASP.NET MVC:无法向会话状态服务器发出会话状态请求

    ylbtech-Error-ASP.NET MVC: 无法向会话状态服务器发出会话状态请求 无法向会话状态服务器发出会话状态请求.请确保 ASP.NET State Service (ASP.NET ...

  10. Intent 简介 结构 传递数据 常见Action 常量 MD

    Markdown版本笔记 我的GitHub首页 我的博客 我的微信 我的邮箱 MyAndroidBlogs baiqiantao baiqiantao bqt20094 baiqiantao@sina ...